Infosec from @rattis' point of view

Monthly Archives: April 2014

I’ve read a few other biographies and case histories from people that work at the CIA, but this one wasn’t as interesting as those. I understand that the book had to go through Pre-Publication review at both the FBI and the CIA, but what was left was mostly Mr. Lynch complaining about each and every job he had. I understand that things had to be taken out, and he would point out that parts were cut by the agencies, including one whole chapter. While there was some entertaining things in the book, and some insights, the part of the book I was most struck with was the Bureaucratic Behemoth that he felt he was fighting against.

Over all, I wasn’t impressed with this book. Mr. Lynch worked for Robert Hanssen, and worked with Aldrich Ames while they were active in spying against the US, but his unit’s didn’t track down the spies in the organizations, even though their job was supposed to be Counter Intelligence.

I keep forgetting, that my university teaches All Source Intelligence Analysis, not just Open Source, but it is easy to forget when OSINT so prevalent. The school’s classes, and the IASA club does do others.

Yes we do lots of OSINT, and Social Media / Cyber Intelligence looking at the social media sites, ip address related tools, and the logs of the servers. However, we also use other for Cyber Intelligence to see what’s going on, on the servers. We use the logs, the open connections, what’s odd.

We do use tools to track wireless signals, mostly for wifi, but there are a few people at the school, in the IA program looking at more than just wifi. They even ran a Fox Hunt (hid a radio and had people go find it). We use packet captures on networks and on servers to see what is going on, on the wire.

We do Human Intelligence probably the most without realizing it. Any time we have to interact with someone, usually as a customer on the phone. We have to elicit the information needed from them. There is lots of cruft to discard to get the data we need, but we can’t fix their issues until we do. We don’t have to be help desk to get that level. Sure we’re not turning people, to help us spy on things, but it’s still getting the info, finding what is realization via analysis, and then having and end “product”.

I know I’ve used Google Earth to find information, by looking at the images, and building out from there. Where I want to live, aerial views of crime locations, working with a team to plot those locations.

Ok, so I can’t think of anything where MASINT comes in to play, at least not off the top of my head, but I’m sure there is something. I’m sure that mapping out nuclear bomb blast radius for Disaster Recovery at work does not count. Don’t ask, but like I said, I’m pretty sure it didn’t count. I didn’t do measurements and used someone else’s tools on the web which just overlaid on Google Maps. I don’t have a way to test and validate, well I guess I could doing OSINT at a library, and then mapping by hand once I understood the bomb blasts radius.

I must remember, the degree program taught me things that I don’t think about daily too.

So at some point, copy write / library of congress page says 2007, Tony and Jonna Mendez wrote a book for the “Scholastic Ultimate Spy Club”. It’s a basic little book written for kids, on the basics of tradecraft. The book title is “Gather Info, Getting the Scoop by Using Your Wits”. When I first saw it on Amazon, I was expecting an adult book on tradecraft, not a kids book.

Since the book arrived last week, without the spy glasses (mirrors on the inside), I kept asking why I paid that much for an out of print kids book. I however went through it in one sitting tonight, since it was 32 pages, and actually was happy with the purchase. The majority of the stuff in it I knew how to do already. Not surprising since this is written for kids. I did have some flash backs to my own mis-spent youth in the 80s and 90s.

The Visual sweep technique, while only one page was really useful. I’m going to put that in to more practice. Short version, stand in the door, look over the room left to right, and observe. Granted I do something like this already, maybe not always left to right, usually as a whole, but still nice to read.

Is it worth the price you’re going to pay for it if you order from a re-seller on Amazon? No, but I bought it because I want to have all of Mendez’s books, for a proper and complete collection. Although, if it had the glasses it would have been even better. There was even a page on OSINT.

A running theme I noticed as of late has been the “it’s not broken, because it’s working, so don’t touch it you’ll break it”. John Strand mentioned it, when talking about Windows XP hitting end of life, on Paul’s Security Weekly 367. Ben Ten and I talked a little about it today in regards to HeartBleed. Lastly I just got off a 4 year project that existed mainly because it wasn’t broke, so don’t fix it.

Here is the problem. IT / IT-Security sees something as “broken”, when it is at end of life / end of service. When we can’t get parts for it anymore, when patches aren’t being made, etc, we say we have to replace it. We say it’s “broken”, or at risk, etc. However that’s not how management sees it. They see it as a system that is still doing what it was purchased to do. It’s not broken, it’s just old but works fine.

IT / IT-Security doesn’t get to say when it’s broken, it’s the “business” that gets to say when it is broken. However it is usually our fault, as IT for not having a new system in place when it finally stops doing what it was purchased for. A good example is a publishing company I worked at. We had Reel to Reel microfilm duplicators, these were devices that the company making them went out of business. They ran NT4. The last I heard, they were still working like a champ, and the company still didn’t see a reason to invest in something new, because those were not broken, they were just old.

To a point it seems a little silly. Company’s get to write off new equipment via deprecation. Investing in what they need to have to do business makes good business sense. But we live in the cut to spending and the bottom line in the name of profit world, so we end up seeing the don’t fix it if it’s not broke attitude come out.

Like I said I just finished a 4 year migration project, I only worked on it the last 9 moths, but every single person I had to interact with, to migrate said the same thing. This solution works, migrating will cost us time and money, we’re not moving because doing so will stop the production lines of the product the company makes. The “business” backed those people, because without justification, they said things would stop. The stance the “business” took was, the old stuff is working today it is old, but not broken. Don’t fix it.

Preventive maintenance is like getting your teeth cleaned. You don’t do it because you like it, or can afford it. You do it because the cost of prevention is cheaper and less painless than the alternative. You don’t fix things when they’re broken, you fix them before they break so they don’t break. We need to learn to tell the business that in better terms than we have now in both IT and Cybersecurity.

For the last several weeks, I’ve been working with three other students from Eastern Michigan University’s Information Assurance program researching and mapping the Campus’ Crime Stats. If people take the time to look, they can find a map of the last 60 days and the daily crime logs for the last 60 days. We’re looking beyond those, but it’s interesting none the less.